What feds can learn from Coca-Cola's data breach

By Frank Konkel

Jan 28, 2014

Coca-Cola is the latest corporate victim in a string of high-profile data breaches, but unlike the malware-assisted attacks that compromised millions of Neiman Marcus and Target customers' private information, the beverage giant's plight has some clear lessons for federal agencies.

Coca-Cola's breach, first reported Jan. 24 by the Wall Street Journal, involved a former employee stealing company laptops containing the unencrypted personal information of about 74,000 people.

Personal information removed from the company's Atlanta headquarters included the names, Social Security numbers, addresses, financial compensation, ethnicities, credit card and other information linked to employees, suppliers and contractors, forcing the company into damage-control mode.

In a statement, Coca-Cola said the laptops were later recovered and there was "no indication" that personal information was misused. However, the company notified the employees and offered them one year's worth of identity-theft protection services at no charge.

The government can learn three major lessons in mobile security from Coca-Cola's data breach, according to Tony Busseri, CEO of Route1, a digital security and identity management company that works with the departments of Defense, Homeland Security and Energy.

"The terminated employee's rights and privileges should have been shut down the moment he was terminated, and it would seem on the surface that it didn't happen," Busseri said. "These are simple protocols we should keep in mind supporting mobility."

A Coca-Cola spokesperson identified the former employee who stole the laptops as someone whose job was to maintain or dispose of equipment. The spokesperson did not specify whether the individual was an employee when the laptops were stolen. Either way, Busseri said, an employee should not have either the physical capability to walk out of headquarters with laptops full of information or the network privileges to access the data.

"Some systems in larger corporate America don't talk amongst each other well, and there can be a failure somewhere along the line," Busseri said. "All it takes is one."

"Why was information of that sensitivity level beyond the firewall of the enterprise, and why wasn't it encrypted?" Busseri asked.

According to Coca-Cola, the company's policy is to encrypt all laptops, but these laptops were not so protected. In a memo the company sent to employees, Coca-Cola did not explain why the stolen laptops were not encrypted.

It is possible the laptop had a VPN connection and unencrypted data was inadvertently saved to the local drive, but the fact remains that the company's mobility policy ultimately failed.

"If your solution supporting mobility is one where there is a risk that information could go out of your network, the policy is not good enough. Anytime you extract something beyond the firewall, it is at risk," Busseri said. This was a case, he said, of "data going with the device."

This has happened in government before, with perhaps the most egregious case coming in 2006 when a Department of Veterans Affairs analyst's stolen laptop and external drive exposed the personal information of 26 million veterans. The VA data was also unencrypted, and ultimately cost taxpayers millions of dollars while seriously damaging the agency's reputation.

Lastly, Busseri said, the terminated employee should not have been able to log into the laptops in the first place. Why wasn't there at least a password protecting the unencrypted, sensitive data on them? Why were they just lying around?

"This individual got a laptop, but how did he get onto it?" Busseri asked. "Was there not even a single level of authentication on it?"

When data breaches occur, Busseri said, corporate America's response is often to implement more employee training and policy updates. He said more effective remedies involve common sense approaches to mobility policies, especially regarding unhinged or upset insiders.

In the arena of mobile security, Busseri said the public sector is far ahead of the private sector, but the lessons still apply.

"Organizations need to do a better job of terminating employees, terminating rights and privileges immediately and ensuring the systems communicate properly," he said. "Second, you should be using remote access solutions that make sure data doesn't leave. What's happened with Coca-Cola is a great proxy in the challenges government is facing. The workforce is mobile and wants to use its own devices. The government needs to extend up that mobility without increasing the security profile."
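The three lessons Busseri draws (cut access the moment someone is terminated, keep sensitive data off unprotected devices, and require authentication on every device) are the kind of thing an organization can check continuously rather than only after a breach. The following is an added example, not code from the article, Coca-Cola or Route1: it reconciles three constructed data sources (an HR roster, an identity-system account list and a laptop inventory, all with hypothetical user IDs and asset tags) and flags accounts still enabled after a termination date, devices still assigned to terminated staff, and devices that violate an encrypt-everything or login-required policy. The gap between "HR says terminated" and "IAM says enabled" is exactly the "systems don't talk amongst each other" failure the article describes.

```python
"""Offboarding and laptop-policy reconciliation audit (added example).

Assumes three exports, constructed here as in-memory lists: an HR roster,
an identity-system (IAM) account list and an asset inventory. Every
identifier below is hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    terminated_on: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool


@dataclass(frozen=True)
class Laptop:
    asset_tag: str
    assigned_to: Optional[str]  # None means sitting unassigned
    disk_encrypted: bool
    login_required: bool


# Constructed sample data (hypothetical identifiers, not from the article).
HR_ROSTER = [
    Employee("alice", None),
    Employee("bob", date(2014, 1, 10)),    # terminated, account left enabled
    Employee("carol", date(2013, 12, 1)),  # terminated, cleanly offboarded
]
IAM_ACCOUNTS = [
    Account("alice", True),
    Account("bob", True),
    Account("carol", False),
    Account("svc-legacy", True),           # no HR owner at all
]
ASSET_INVENTORY = [
    Laptop("LT-001", "alice", True, True),
    Laptop("LT-002", "bob", False, True),  # still issued to bob, unencrypted
    Laptop("LT-003", None, False, False),  # unassigned, no protection at all
]
AS_OF = date(2014, 1, 24)  # audit date used by the sample run

Finding = Tuple[str, str]


def terminated_ids(roster: List[Employee], as_of: date) -> set:
    """User IDs whose termination date is on or before the audit date."""
    return {e.user_id for e in roster if e.terminated_on and e.terminated_on <= as_of}


def find_orphaned_access(roster: List[Employee], accounts: List[Account],
                         as_of: date) -> List[Finding]:
    """Enabled accounts that belong to terminated staff or to nobody in HR."""
    gone = terminated_ids(roster, as_of)
    known = {e.user_id for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state
        if acct.user_id in gone:
            findings.append((acct.user_id, "account enabled after termination"))
        elif acct.user_id not in known:
            findings.append((acct.user_id, "account has no HR owner"))
    return findings


def find_device_gaps(roster: List[Employee], inventory: List[Laptop],
                     as_of: date) -> List[Finding]:
    """Devices still held by terminated staff or violating encryption/login policy."""
    gone = terminated_ids(roster, as_of)
    findings: List[Finding] = []
    for dev in inventory:
        if dev.assigned_to in gone:
            findings.append((dev.asset_tag, "assigned to terminated user"))
        if not dev.disk_encrypted:
            findings.append((dev.asset_tag, "disk not encrypted"))
        if not dev.login_required:
            findings.append((dev.asset_tag, "no authentication required"))
    return findings


def audit(roster: List[Employee], accounts: List[Account],
          inventory: List[Laptop], as_of: date) -> Dict[str, List[Finding]]:
    """Run both checks and group findings by area."""
    return {
        "access": find_orphaned_access(roster, accounts, as_of),
        "devices": find_device_gaps(roster, inventory, as_of),
    }


def run_sample_audit() -> Dict[str, List[Finding]]:
    """Audit the constructed sample data as of AS_OF."""
    return audit(HR_ROSTER, IAM_ACCOUNTS, ASSET_INVENTORY, AS_OF)


if __name__ == "__main__":
    for area, items in run_sample_audit().items():
        for ident, problem in items:
            print(f"[{area}] {ident}: {problem}")
```

In practice the three lists would be pulled from the HR system, the directory and the endpoint-management tool on a schedule, and any "access" finding would be treated as an incident rather than a ticket, since an enabled account for a departed user is the precondition for the insider scenario the article describes.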

Reader comments

Thu, Jan 30, 2014
RayW

This article is VERY misleading and the misleading clarifications were very obscure. Was the employee doing this as part of his job? Were the computers part of the internal system that never left the building (some friends say their companies use laptops and docking stations instead of fixed desktops for in-facility mobility)? The person's job was to dispose of older computers; here that means we turn them in to him (the computer group) and they then remove the hard drives and destroy those (per Air Force regulations, they say), and then palletize the remainder for transfer to some private industry (depending on the tracking system and any buddy systems, an easy place to divert units). Unless you read it very carefully, the article makes it seem like he came back inside the plant after being terminated and walked out with the items, kind of hard to do in most federal government buildings I have been in recently.

As a side note, it is my experience (18 years) that industry primarily has two different means of terminations. (Note: as an engineer, I have never worked in a place that did not require a badge to get in.)

1st – A firing or RIF: many places will have someone from security or management walk up to you and tell you to collect your personal items from your desk and walk you out (gets kind of iffy for those who have more than one work area). Although for my last RIF in 1999 we were given four weeks' notice and continued working with liberal administrative leave to look for a new job, and this was on classified programs with a defense contractor.

2nd – I am quitting, here is my two week notice. No special action is taken in most cases, although I have heard of a few companies that say "Here is two weeks of pay, collect your stuff and get escorted out."

Wed, Jan 29, 2014

So one of the big lessons is the terminated employee should have his/her rights terminated immediately as well. In private industry, an employee might be sitting at his/her desk and security walks up and says, "your services are no longer needed" and the employee is given 10 minutes to gather his/her personal belongings and is escorted out of the building. This is where this recommendation will lead in the govt.
